Lessons, does anyone ever learn?

Under the heading, the more things change, the more they stay the same...

I found this interesting paragraph in a government sponsored research
report. To make it more interesting, I'm not going to tell you the
date of the report, or the network the authors were talking about.
Since the US Government paid for the work, copyright isn't a concern,
now if that ain't a hint, I don't know what is :-)

"Among them they noted that while worst case analysis had been done, the
particular scenario had not been studied. They also suggest operators
did not have all the data they needed to make proper decisions. Particularly
notable was that no one could see the big picture across the entire
system. The authors suggest that there is substantial improvement
needed to the modeling process. For example, models used for planning
are different than models used for online monitoring and control. Finally,
there are thousands of system components, and as many problems waiting
to occur.

Based on these observations the authors suggest the following:
   - Online dynamic security assessment tools, and security indices.
   - Wide area communication network and system monitoring process.
   - National standards for operations and engineering.
   - Improved system planning and risk assessment methods.
   - Standard system planning and operating data models.
   - Validated data in simulation models.
   - Wide area measurement and controls."

Since there is currently a $2.8 billion budget request pending before
Congress to fund critical infrastructure protection, do you sometimes
get the feeling some researchers just cut & paste their old analysis
into whatever today's hot topic is?

Yes, but that's not the scary part.

The scary part is that this monetary tag may never make it to the people
who might actually do the work.

- paul

As a footnote referencing the budget request Sean lists below, take a look at http://www.ciao.gov/roadmap-c.pdf for specific information and http://www.ciao.gov/roadmap-main.pdf (table 2.3) for a general summary. These references are from the July 1998 Critical Infrastructure Assurance Office's summary of "Information and Communications Infrastructure."

It's old data for some of you, but still worthwhile as a refresher since the gummin't takes a while to throw some money and monkey wrenches at these reports...

So: Regardless of how often they regurgitate the same discoveries, we know that the government doesn't trust current development and risk assessment of "the network" (be that network the current Internet or some IP based network of the not-so-distant past.) For those of us in the US that have to contend with the results of any US-based legislation, what does it mean? Will we have to build our IP networks according to a certain planbook? Will we be required to allow inspections to confirm compliance? Will international providers of traffic need to comply with US-specific guidelines before being allowed to "import" their packets?

I'll throw my opinion of "No" on the table and see if anyone disagrees. I really see no way to implement meaningful risk assessment and coordinated security controls across such an already huge number and variety of private networks. These risk assessment studies that CIAO is doing are interesting, but what can be the end result of so much expense and examination? Not a lot that will directly change the higher-layer protocols (eg: layer 2/3 and up) that are currently being used, at least not without a lot of burdensome legislation that might stifle the industry. I think such a burden will be enough to scare legislators away from passage of such laws.

Should this discussion really go on com-priv? (or as the case may be in this throwback to governmental control of the network: "priv-com") ;-)